Cyber is emerging as Iran’s weapon of choice for dealing with both domestic and foreign opponents.
For more than a decade, the Islamic Republic has waged a relentless cyberspying campaign against Iranian dissidents. Following its discovery of the Stuxnet cyberattacks on its nuclear program in 2010 and the imposition of new sanctions on Iran’s oil and financial sectors starting in 2011, it retaliated by conducting cyberattacks against petroleum-sector targets in Saudi Arabia and the U.S. financial sector. Meanwhile, it dramatically ramped up cyberspying efforts against foreign officials engaged in Iran policy, particularly in the United States, and cyber reconnaissance activities against critical infrastructure in the U.S. and elsewhere.
These events underscore the growing importance Tehran attaches to its cyber capabilities, which are likely to assume an even greater role in the coming years.
So what explains Iran’s interest in cyber?
First, it fits well with elements of Iran’s strategic culture: a preference for ambiguity, standoff, and indirection when conducting potentially high-risk activities, enabling it to better manage this risk. Second, because of the difficulty of attributing responsibility for a cyberattack quickly and convincingly—since cyber forensics do not rely on physical evidence in the traditional sense—cyber may provide Tehran a degree of deniability.
Third, international cyber norms remain inchoate, and Iran hopes to shape them so that its cyberspying and offensive cyber operations become a tolerated form of behavior, much like its use of terrorism is tolerated by many. Fourth, Iran’s cyber activities support the regime’s narrative that the country is an emerging scientific and technological force. Indeed, Iran is blessed with world-class human capital in this area; its students have repeatedly placed high in recent STEM Olympiads, though political and economic conditions at home and tempting opportunities abroad often cause many to seek jobs outside the country.
Finally, cyber allows Iran to strike at adversaries globally, instantaneously, and on a sustained basis, and to potentially achieve strategic effects in ways it cannot in the physical domain.
However, the threat of cyberattacks against Iran touches on Tehran’s deepest fears. Because the Islamic Republic came to power through revolution, survival is its foremost concern and counterrevolution its ultimate nightmare. It believes that U.S. soft warfare—efforts to inculcate foreign ideas, values, and ideologies in order to undermine the Islamic Republic, often conducted via cyber-enabled means such as social media and the Internet—is a greater threat to the regime’s survival than a foreign military strike or invasion.
Thus, Tehran believes that cyber enables its domestic opponents to organize, and its foreign enemies to undermine the regime through soft warfare. However, it also provides the regime with unprecedented means to monitor the country’s population, to defend itself against domestic and foreign threats, and to strike at its enemies.
In the past decade, Iran’s cyber toolkit has evolved from a low-tech means of lashing out at its enemies by defacing websites and conducting DDoS attacks to a central pillar of its national security concept. In fact, cyber may be emerging as a fourth leg of Iran’s current deterrent and warfighting triad. This triad currently consists of the ability to disrupt maritime traffic in the Strait of Hormuz; conduct unilateral and proxy terrorism on several continents; and launch long-range missile and rocket strikes against targets throughout the region.
Iran, however, cannot close the Strait of Hormuz without greatly harming its own interests because nearly all of its oil and gas exports and nearly all of its imports pass through this choke point. Its ability to wage terrorism has, moreover, atrophied in recent years, while since 9/11 its adversaries have greatly enhanced their ability to disrupt its terrorist activities. And although its missile arsenal—the backbone of its strategic deterrent—provides critical capabilities, its use would expose Iran to retaliation because the origins of missiles are easily ascertained.
Cyber operations entail less risk and provide Tehran with options not provided by the other legs of its current triad. Thus, Iran is almost certainly considering the battlefield use of cyber to disrupt enemy missile defenses, command and control, aerial and naval unmanned systems, and logistics—which in the United States are hosted on unclassified computer networks. Its network reconnaissance activities seem to indicate that it is developing contingency plans to attack its enemies’ critical infrastructure. It might also target entities that it believes enable U.S. “soft warfare” activities: media outlets, purveyors of popular culture, think tanks seen as hostile to Iran, universities, and U.S. government agencies perceived to be directing these efforts. And it may opt to target culture and media outlets that it believes have mocked or insulted the sensibilities of the country’s leadership.
Iran’s cyber activities show that a third-tier cyber power can carry out significant nuisance and cost-imposing attacks, though it has not yet demonstrated an ability to conduct strategic critical-infrastructure attacks. Moreover, U.S. experience with Stuxnet demonstrates that even advanced cyber powers may face challenges achieving strategic effects, due to the complexity of the target, and constraints—self-imposed or otherwise—on the conduct of offensive cyber operations. This assessment, however, may not hold for all types of infrastructure targets and could change as cyber reconnaissance and attack tools become more sophisticated.
Iran has shown that it prefers to respond in kind to cyberattacks, though it is not clear whether, if thwarted, it would respond in the physical domain. However, because the functioning of the U.S. economy, critical infrastructure, and military depends on relatively vulnerable computer networks, Iran is likely to always find a way of responding in kind, even if symbolically. Because America lives in a cyber “glass house,” the most effective way to deter adversaries like Iran in the cyber domain may be by threatening military action in the physical domain.
Yet, the United States has a longstanding credibility gap that could complicate such efforts. Its muted reaction to the 1983 Beirut Marine barracks and 1996 Khobar Towers bombings, and to Iran’s support for Shiite militant groups that attacked U.S. forces in Iraq following the 2003 U.S. invasion, taught Tehran that it can wage proxy warfare against the United States without risking a military response or paying an unacceptable price. Washington’s embrace of Stuxnet to avert an Israeli military strike on Iran’s nuclear program probably reinforced the perception that it was reluctant to challenge Tehran in the physical domain. Paradoxically, this milestone use of offensive cyber may have inadvertently undermined cyber deterrence. Redressing this credibility gap will be key to future efforts to deter Iran in both cyber and physical domains.